Subject: Re: ipip and gif
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 04/19/2000 14:37:11
>> No, the reasons I couldn't use existing tunnel code were: [...]

>> - There are actually two tunnels, decision between which is made
>>    based on the *source* address of the packet.

> it's a hack, but you can use ipf to select the outbound interface
> based on the source address.  [...]

Ah yes, now I recall.

I also needed to rewrite some of the packets in transit, and ipf/ipnat
wasn't capable of doing the rewriting I needed.  I might have been able
to do the tunnels (except for the signing and auto-address-updating)
with ipip or gif, but the rewriting demanded custom hackery.

(What was the rewriting?  Incoming packets for one address on the
telnet port were to get rewritten so as to be destined for another
address and port; outgoing packets from that other address/port were to
be rewritten so as to be coming from the first address on the telnet
port.  And it had to be stateless - rebooting the gateway mustn't break
existing connections.)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
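The stateless rewrite the post describes, as an added example that is not from the post or from der Mouse's gateway code: each packet is rewritten from its own headers alone (inbound to A:telnet becomes B:P, outbound from B:P becomes A:telnet), so there is no connection table to lose on a reboot, and both the IP and TCP checksums are recomputed. The addresses, the inside port and the packet builder are assumptions for illustration.

```python
import struct
from ipaddress import IPv4Address
# Constructed rule (addresses and inside port are assumptions, not from the post):
#   inbound  dst A:telnet -> dst B:P        outbound src B:P -> src A:telnet
A, TELNET = IPv4Address("192.0.2.10"), 23
B, P = IPv4Address("198.51.100.7"), 2023

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means a filled-in header verifies."""
    if len(data) % 2: data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def pseudo(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)  # TCP pseudo-header

def checksums_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4; tcp = pkt[ihl:]
    return csum(pkt[:ihl]) == 0 and csum(pseudo(pkt[12:16], pkt[16:20], len(tcp)) + tcp) == 0

def build_packet(src, sport, dst, dport, payload=b"") -> bytes:
    """Constructed minimal IPv4+TCP SYN (20-byte headers, no options) for testing."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)) + payload
    tcp[16:18] = struct.pack("!H", csum(pseudo(src.packed, dst.packed, len(tcp)) + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src.packed, dst.packed))
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    return bytes(ip + tcp)

def rewrite(pkt: bytes) -> bytes:
    """Rewrite one packet from its own headers only: no per-connection state is kept."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # TCP only; pass anything else through
        return pkt
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if (dst, dport) == (A, TELNET):              # inbound to the public address
        dst, dport = B, P
    elif (src, sport) == (B, P):                 # outbound from the inside service
        src, sport = A, TELNET
    else:
        return pkt
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16], ip[16:20], ip[10:12] = src.packed, dst.packed, b"\0\0"
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))       # both checksums must be redone
    tcp[0:4], tcp[16:18] = struct.pack("!HH", sport, dport), b"\0\0"
    tcp[16:18] = struct.pack("!H", csum(pseudo(src.packed, dst.packed, len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)
```

Because the mapping is a fixed pair of rules rather than a lookup, a packet arriving after a gateway reboot is rewritten exactly as it would have been before, which is what keeps existing connections alive.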